Security and the Law: How to Decipher New Legislation and Minimize Corporate Risk
Marc J. Zwillinger, Sonnenschein Nath & Rosenthal LLP, mzwillinger@sonnenschein.com
How to avoid unwanted exposure, by Janet Jackson
Information Security Practice 2000-2004
Draft and review information security policies and procedures.
Immediate legal response to network attacks, including external penetrations and insider abuse, and California Civil Code §1798.82 issues
Advise clients on laws and regulations governing the storage and exchange of electronic data over computer networks and disclosure of electronic data (Wiretap & ECPA)
Conduct Internal Investigations focusing on electronic evidence in connection with ongoing or potential litigation.
Internet Enforcement Practice 2000-2004
Piracy Investigations and Litigation
Spam
• Anti-Spam Litigation
• e-Marketing (CAN-SPAM) counseling
Information Leaks (Internet boards)
Resale of corporate assets or services
Agenda
Existing Information Security Legislation and Regulations – What do they mean?
Future Legislation
FTC Inquiries and Enforcement Actions
Where is it all Going?
Information Security Regulation is Here to Stay
Sources of U.S. Information Security Regulation
- Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191, 110 Stat. 1936, “HIPAA”)
  - Privacy Standards
  - Security Rule (2005)
- Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (Pub. L. 106-102, “GLBA”)
  - Banking Agency Guidance (2001)
  - SEC Regulation S-P (2001)
  - FTC Safeguard Rules (2003)
- California Civil Code §1798.82 (formerly SB1386)
- Sarbanes-Oxley
FTC Safeguards Rule
The Safeguards Rule requires each financial institution to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.” See 16 CFR part 314.
FTC Regulations
Designate an employee or employees to coordinate an information security program;
Assess risks in each area of operations;
Design and implement a written information security program to control these risks;
Require service providers (by contract) to implement appropriate safeguards for customer information;
Adapt the security program in light of material changes to the business.
California’s Bright Idea: Mandatory Disclosure
Covered Entities
Require all entities who do business in California to disclose information security breaches to every California resident whose data was acquired by an unauthorized person.
Notice Requirements
Notice shall be made “in the most expedient time possible and without unreasonable delay, consistent with legitimate needs of law enforcement . . . or any measure necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
Customers injured by violations of the statute are authorized to bring private lawsuits for damages.
Cal. Civ. Code §1798.82(a), a/k/a SB1386
Monitor employee access to higher-risk personal information
Remove access privileges of former employees and contractors immediately
Use intrusion detection technology for systems with higher-risk personal information
Require third parties, including data custodians, to follow security procedures and notify the data owner upon breach
Include electronic print-outs and paper records in your incident response plans and notification procedures
Notify within 10 business days
Sarbanes-Oxley Act of 2002
Establishes requirements for public companies with respect to internal controls over financial reporting
Do "internal control" requirements apply to information security policies and procedures?
Rules require policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the [company’s] assets that could have a material effect on the financial statements.”
Section 302 – identifies internal fraud as an event that would require disclosure.
Controls relating to the prevention, identification and detection of internal fraud are part of necessary controls
§§ 806 & 1107: Protects/encourages whistleblowers
§ 802: Evidence preservation duty; severe penalties for destruction
§ 301: Must receive and investigate complaints/allegations of fraud
§ 404: Effective internal controls required
§ 409: Timely reporting required
§ 302: CEOs/CFOs must evaluate internal controls and disclose internal fraud
Exchange Act Release No. 44969: Cooperation with SEC/law enforcement = production and identification of evidence
Computer investigations/incident response infrastructure & internal investigation capabilities = INTERNAL INVESTIGATIONS and Incident Response
• Nearly all evidence is digital
• Government investigations will focus on computer evidence
• Data must be recovered, analyzed and preserved in a thorough and rapid manner
Federal Trends
Congressional Action and Debate: Proposals by Representative Putnam, Chair of the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census
Initial Proposal
Chairman Putnam’s Corporate Information Security Accountability Act of 2003 (Draft)
• Would have required that publicly traded companies include a status report with their SEC filings on their corporate information security plans, in the form of a checklist that would have to be certified by an independent third-party auditor.
• The checklist would include a basic information security plan, including an up-to-date inventory of critical IT assets; a risk assessment and corresponding risk management/mitigation plan; an incident response plan; and a tested business continuity plan.
Corporate Response
Private sector concerned with the prospect of massive government regulation
Chairman Putnam challenged the private sector to identify an alternative approach; created the Corporate Information Security Working Group (CISWG), composed of industry experts, to develop a proposal for a legislative response to cybersecurity risks
CISWG Proposals
Incentives over Regulation
Positive incentives are a more effective means of implementing cyber security risk management because they would:
• Leverage private industry’s ability to innovate the tools necessary for effective cyber-security.
• Apply to the global economy through multinational corporations
• Respond to changes in technology.
• Encourage executive buy-in due to the inherent advantages of a “return on investment” approach.
• Promote market-based incentive programs that are more applicable to the broad cross-section of entities who use and must protect cyberspace.
• Complement the existing sector specific initiatives.
Incentives over Regulation (II)
Duplicative and conflicting international, national, state and local regulations create disincentives to cyber-security
Key Private Sector Incentive Recommendations
Establish generally accepted measurement tools to evaluate corporate and individual cyber security
Develop programs utilizing these measurement tools to establish programs to determine qualification, compliance and/or certification.
Key Private Sector Incentive Recommendations (II)
Take advantage of the cyber-risk management programs and services offered by the cyber-insurance industry as a means of providing for business continuity and financial risk management.
Establish programs that seek to use market forces to motivate organizations to enhance their cyber security programs and practices. Industry leaders should be encouraged to identify and promote such programs among their clients.
Key Government Incentive Recommendations
Publicize the positive efforts that are being made by corporations to improve cyber security beyond their own corporate walls.
Consider legislation providing liability limits and/or safe harbor protections to private sector entities.
Investigate economic incentives that would reward capital investments made by companies that purchase “certified” or information security products and services.
Key Government Incentive Recommendations (II)
Enact procedures whereby, in cases of a covered cyber-disaster, FEMA payments would be modified based on the extent to which “Best Practices” were executed.
Encourage appropriate availability and use of cyber-insurance as a means to protect this nation’s critical assets.
Best Practices Recommendations
Create an umbrella organization to establish, promulgate, maintain, and track the use of IS guidance that is systemic, scalable, coherent, and readily usable.
Publish the Fundamental Four and Digital Dozen as sequential components of a “Security Starter Kit” through auditors, accountants, associations, ISPs, insurance companies and other leverage channels to proliferate use of these practices.
Best Practices Recommendations (II)
Publish the IS Program Elements Framework and encourage enterprises to undertake security improvement projects
Work with industry associations and media to increase awareness of the community aspect of cybersecurity and the imperative to be responsible Internet neighbors.
Enforcement Actions: Past Targets
On June 18, 2003, Guess, Incorporated agreed to settle charges that it exposed consumers' personal information, including credit card numbers, to commonly known attacks by hackers.
Personal information was not stored in an unreadable, encrypted format at all times, and security measures failed to protect against SQL and other commonly known attacks.
According to the FTC press release, the settlement requires Guess to establish and maintain a comprehensive information security program that must be certified by an independent professional within a year, and every other year thereafter.
On January 14, 2003, the New York AG’s settlement agreement with the ACLU resulted from an incident in which ACLU customers' personal information -- including name, address, phone number, e-mail address and a record of purchases -- was accessible through the search mechanism on the organization's website.
ACLU’s conduct breached specific representations in the organization's privacy policy.
ACLU required to “establish and maintain an information security program that includes appropriate administrative, technical and physical safeguards” and undergo annual, independent compliance reviews over the next five years.
Sample Presentation
Enforcement Questions
• Were there reasonable procedures in place to anticipate security problems?
• Was the problem foreseeable?
• How quickly was the breach caught and did it result in injury?
• Was there communication with victims and, if so, were efforts made to make them whole?
• What have the consequences been?
• Have steps been taken to make sure the problem is not repeated?
• Has security been institutionalized in the company?
• Is an “incident response system” in place?
• Has the company demonstrated that they “get it”?
What Does the Future Hold?
Increased likelihood of litigation based on security breaches
• More entities subject to a specified duty of care
• Erosion of “reciprocity is hell” limiting factor
Application of security standards to non-regulated entities
• Outsourcing/contractual relationships
• Insurance Prerequisite
New Federal law encouraging/requiring investment in information security resources
Much more scrutiny on incident handling and incident response
Security and the Law: How to Decipher New Legislation and Minimize Corporate Risk
Marc J. Zwillinger, Partner, Sonnenschein Nath and Rosenthal, LLC.